This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Working with Properties of User Stores

The following table provides descriptions of the key properties you use to configure primary user stores.

Property name

Description

MaxUserNameListLengthControls the number of users listed in the user store of a WSO2 product. This is useful when you have a large number of users and don't want to list them all. Setting this property to 0 displays all users.
ConnectionURL

Connection URL to the user store server. In the case of default LDAP in Carbon, the port is specified in the carbon.xml file, and a reference to that port is included in this configuration.

ConnectionName

The username used to connect to the database and perform various operations. This user does not have to be an administrator in the user store or have an administrator role in the WSO2 product that you are using, but this user MUST have permissions to read the user list and users' attributes and to perform search operations on the user store. The value you specify is used as the DN (Distinguish Name) attribute of the user. This property is mandatory.

ConnectionPasswordPassword for the ConnectionName user.
DisplayNameAttributeThis is an optional property. The Display Name Attribute is the name by which users will be listed when you search for users in the management console (Go to Configuration -> Users tab). 
PasswordHashMethodPassword hash method to use when storing user entries in the user store.
UserNameListFilter

Filtering criteria for listing all the user entries in the user store. This query or filter is used when doing search operations on users. In this case, the search operation only provides the objects created from the specified class. This query is the same as listing out all the available users in the management console.

UserEntryObjectClassObject class used to construct user entries. By default, it is a custom object class defined with the name wso2Person.
UserSearchBase

DN of the context or object under which the user entries are stored in the user store. In this case, it is the "users" container. When the user store searches for users, it will start from this location of the directory.

Different databases have different search bases.

UserNameSearchFilterFiltering criteria used to search for a particular user entry.
UserNameAttribute

The attribute used for uniquely identifying a user entry. Users can be authenticated using their email address, UID, etc.

The name of the attribute is considered as the username.

For information on using email address to authenticate users, click here.

UsernameWithEmailJavaScriptRegEx

This property defines the JavaScript regular expression pattern when the EnableEmailUserName property is set to true in carbon.xml configuration file. If you need to support both email as a user name and normal user names, you can set this property as follows.

<Property name="UsernameWithEmailJavaScriptRegEx">^[\S]{3,30}$</Property>

PasswordJavaScriptRegEx

Policy that defines the password format.
UsernameJavaScriptRegExThe regular expression used by the front-end components for username validation.
UsernameJavaRegEx

A regular expression to validate usernames. By default, strings have a length of 5 to 30. Only non-empty characters are allowed. You can provide ranges of alphabets, numbers and also ranges of ASCII values in the RegEx properties.

<Property name="UsernameJavaRegEx">[a-zA-Z0-9._\-|/]{3,30}$</Property>
RolenameJavaScriptRegExThe regular expression used by the front-end components for role name validation.
RolenameJavaRegEx

A regular expression used to validate role names. By default, strings have a length of 5 to 30. Only non-empty characters are allowed.

<Property name="RolenameJavaRegEx">[a-zA-Z0-9._\-|/]{3,30}$</Property>

CaseInsensitiveUsername

(JDBC) This property can be set to 'false' for case insensitive JDBC user stores for performance improvements.

<Property name="CaseInsensitiveUsername">false</Property>
ReadGroupsSpecifies whether groups should be read from the user store. If this is disabled by setting it to false, none of the groups in the user store can be read, and the following group configurations are NOT mandatory: GroupSearchBase, GroupNameListFilter, or GroupNameAttribute.
ReferralGuides the request to a domain controller in the correct domain
WriteGroupsSpecifies whether groups should be written to user store.
EmptyRolesAllowedSpecifies whether the underlying user store allows empty groups to be created. In the case of LDAP in Carbon, the schema is modified such that empty groups are allowed to be created. Usually LDAP servers do not allow you to create empty groups.
GroupSearchBaseDN of the context under which user entries are stored in the user store.
GroupSearchFilterThe query used to search for groups.
GroupNameListFilterFiltering criteria for listing all the group entries in the user store. Groups are created in LDAP using the "groupOfName" class. The group search operation only returns objects created from this class.
GroupEntryObjectClassObject class used to construct group entries.
GroupNameSearchFilterFiltering criteria used to search for a particular group entry.
GroupNameAttributeAttribute used for uniquely identifying a user entry. This attribute is to be treated as the group name.
MembershipAttributeAttribute used to define members of groups.
MembershipAttributeRangeAttribute used by Active Directories where they need limit membership attributes. The default value for this is 1500.
UserRolesCacheEnabledThis is to indicate whether to cache the role list of a user. By default this is set to true. Set it to false if the user roles are changed by external means and those changes should be instantly reflected in the Carbon instance.
UserDNPattern(LDAP) The patten for the user's DN, which can be defined to improve the search. When there are many user entries in the LDAP user store, defining a UserDNPattern provides more impact on performances as the LDAP does not have to travel through the entire tree to find users.
ReplaceEscapeCharactersAtUserLogin(LDAP) If the user name has special characters it replaces it to validate the user logging in. Only "\" and "\\" are identified as escape characters.
TenantManagerIncludes the location of the tenant manager.

ReadOnly

(LDAP and JDBC) Indicates whether the user store of this realm operates in the user read only mode or not.

IsEmailUserName

(JDBC) Indicates whether the user's email is used as their username (apply when realm operates in read-only mode).

DomainCalculation

(JDBC) Can be either default or custom (this applies when the realm operates in read only mode).

PasswordDigest

(JDBC) Digesting algorithm of the password. Has values such as, PLAIN_TEXT, SHA etc.

StoreSaltedPassword

(JDBC) Indicates whether to salt the password.

Tip: Make sure you secure the password with salt and key.

UserNameUniqueAcrossTenants

(JDBC) An attribute used for multi-tenancy.

PasswordJavaRegEx

(LDAP and JDBC) A regular expression to validate passwords. By default, strings having a length between 5 to 30 with non-empty characters are allowed.

PasswordJavaScriptRegEx

The regular expression used by the front-end components for password validation.

UsernameJavaRegEx

A regular expression to validate usernames. By default, strings having a length 5 to 30 between with non-empty characters are allowed.
UsernameJavaScriptRegExThe regular expression used by the front-end components for username validation.

RolenameJavaRegEx

A regular expression to validate role names. By default, strings having a length between 5 to 30 with non-empty characters are allowed.

RolenameJavaScriptRegEx

The regular expression used by the front-end components for rolename validation.
MultiTenantRealmConfigBuilder
Tenant Manager specific realm config parameter. Can be used to build different types of realms for the tenant.
SharedGroupEnabledThis property is used to enable/disable the shared role functionality.
SharedGroupSearchBaseShared roles are created for other tenants to access under the mentioned DN.
SharedTenantObjectClassObject class for the shared groups created.
SharedTenantNameAttributeName attribute for the shared group.
SharedTenantNameListFilterThis is currently not used.

LDAPConnectionTimeout

If the connection to an LDAP is inactive for the length of time (in milliseconds) specified by this property, the connection will be terminated.